LiveActive security incident?Get immediate response
CVE Record

CVE-2024-57901: af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK

In the Linux kernel, the following vulnerability has been resolved: af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK Blamed commit forgot MSG_PEEK case, allowing a crash [1] as found by syzbot. Rework vlan_get_protocol_dgram() to not touch skb at all, so that it can be used from many cpus on the same skb. Add a const qualifier to skb argument. [1] skbuff: skb_under_panic: text:ffffffff8a8ccd05 len:29 put:14 head:ffff88807fc8e400 data:ffff88807fc8e3f4 tail:0x11 end:0x140 dev:<NULL> ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:206 ! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 UID: 0 PID: 5892 Comm: syz-executor883 Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:skb_panic net/core/skbuff.c:206 [inline] RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216 Code: 0b 8d 48 c7 c6 86 d5 25 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 5a 69 79 f7 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 RSP: 0018:ffffc900038d7638 EFLAGS: 00010282 RAX: 0000000000000087 RBX: dffffc0000000000 RCX: 609ffd18ea660600 RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 RBP: ffff88802483c8d0 R08: ffffffff817f0a8c R09: 1ffff9200071ae60 R10: dffffc0000000000 R11: fffff5200071ae61 R12: 0000000000000140 R13: ffff88807fc8e400 R14: ffff88807fc8e3f4 R15: 0000000000000011 FS: 00007fbac5e006c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fbac5e00d58 CR3: 000000001238e000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> skb_push+0xe5/0x100 net/core/skbuff.c:2636 vlan_get_protocol_dgram+0x165/0x290 net/packet/af_packet.c:585 packet_recvmsg+0x948/0x1ef0 net/packet/af_packet.c:3552 sock_recvmsg_nosec net/socket.c:1033 [inline] sock_recvmsg+0x22f/0x280 net/socket.c:1055 ____sys_recvmsg+0x1c6/0x480 net/socket.c:2803 ___sys_recvmsg net/socket.c:2845 [inline] do_recvmmsg+0x426/0xab0 net/socket.c:2940 __sys_recvmmsg net/socket.c:3014 [inline] __do_sys_recvmmsg net/socket.c:3037 [inline] __se_sys_recvmmsg net/socket.c:3030 [inline] __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3030 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f

MediumCVSS 5.5Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

This is a Linux kernel denial-of-service issue. A local low-privileged user or process could trigger a kernel crash through AF_PACKET handling, causing system availability impact. The sources do not show data theft, data modification, or remote network exploitation.

Executive priority

Schedule remediation in the normal high-availability patch cycle, with faster handling for multi-user, hosted, or operationally critical Linux systems. Business risk is service disruption, not confirmed compromise or data exposure based on the provided evidence.

Technical view

AF_PACKET handling in vlan_get_protocol_dgram() mishandles MSG_PEEK and can alter shared sk_buff state, leading to skb_under_panic and a kernel BUG during packet_recvmsg/recvmmsg. CVSS is 5.5: local, low complexity, low privileges, no user interaction, availability high.

Likely exposure

Exposure is most relevant on Linux systems where untrusted local users, workloads, or containers can reach AF_PACKET behavior. The provided data lists Linux kernel versions and stable fixes, plus Debian LTS and Siemens advisories. Remote-only exposure is not supported by the CVSS vector.

Exploitation context

The source bundle cites syzbot discovery and a crash trace. It does not cite public exploitation, weaponized exploit availability, or CISA KEV listing; KEV is false. Treat this as a local availability risk rather than confirmed active exploitation.

Researcher notes

Focus validation on AF_PACKET reachability, local privilege boundaries, container namespace policy, and whether vendor kernels include the upstream stable fixes. The source bundle does not provide enough evidence to claim remote reachability or exploitation beyond a crash proof found by syzbot.

Mitigation direction

  • Apply vendor kernel updates that include the referenced stable fixes.
  • Check Debian LTS and Siemens advisories if those distributions or products are used.
  • Prioritize shared servers, multi-tenant hosts, and container platforms with untrusted workloads.
  • Review vendor guidance before using temporary controls as a substitute for patching.

Validation and detection

  • Inventory Linux kernel versions across servers, appliances, and container hosts.
  • Compare deployed kernels against vendor advisories and the referenced stable fix commits.
  • Identify systems allowing untrusted local shell, jobs, or container workloads.
  • Confirm patched systems rebooted into the updated kernel.
Prepared
Confidence
high
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-57901 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
5.5 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
3ADP providers
12Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
5.5CVSS 3.1MediumCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H1.83.6CISA-ADP

Vulnerability scoring details

Base CVSS 3.1 score

5.5Medium
CVSS 3.1 vector shape for CVE-2024-57901Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
cvssV3_1other:ssvc
CVECVE Program Container
siemens-SADPADP container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxc77064e76c768fb101ea5ff92dc771142fc9d8fd, 83e2dfadcb6258fe3111c8a8ec9cf34465e55e64, d0a1f9aa70f0d8a05b6320e8a3f3b83adab8dac3, 5839f59ff1dd4e35b9e767927931a039484839e1, 5a041d25b67042cbe06a0fb292ee22fd1147e65c, 79eecf631c14e7f4057186570ac20e2cfac3802e, 79eecf631c14e7f4057186570ac20e2cfac3802e, 3dfd84aa72fa7329ed4a257c8f40e0c9aff4dc8f, 66f23a7b5174b5d3e7111fd2d0d5a4f3faaa12e5, 5.4.282, 5.10.224, 5.15.165, 6.1.103, 6.6.44, 4.19.320, 6.10.3unaffected
LinuxLinux6.11, 0, 5.4.289, 5.10.233, 5.15.176, 6.1.124, 6.6.70, 6.12.9, 6.13affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.